In 2014, Will Your Security Team be Driving New Value, or Responding to Yesterday’s Threats?
In the 1940s, Peter Drucker wrote that one of the keys to organizational success is to publicly commit to specific, measurable goals. It is as relevant for a high-tech software company today as it was at General Motors in the years following the end of World War II, and I challenge my staff to do so every year as we enter into our annual planning process.
The value in the exercise is in the accountability that it establishes, creating an incentive to stretch a bit further towards outcomes that drive growth and innovation. It is human nature to do what is comfortable, but to quote a somewhat more contemporary management consultant, what got you here won’t get you there. A secondary (but perhaps more important) result of public commitment to specific outcomes is that it fosters a discussion around identity and direction. If strategies and goals fail to mesh with that common vision, they can be quickly identified and set aside, without investing time and effort into activities do not lead the company towards increased success.
As 2013 wanes, it makes sense take a few steps back and look at the state of the cloud and how it fits into the plans our customers and friends have been sharing with us. End of year retrospectives are fairly typical — my company posted one as part of our newsletter to our customers, and I seem to receive a new one in my inbox daily — but of the ones that discuss cloud strategy, most seem to be saying the same things: the cloud is finally taking off, companies are moving their data into a hybridization of cloud platforms (such as the adoption of both Salesforce and Google Apps), and accelerated growth is to be expected.
While these may be accurate predictions, annual planning sessions offer the unique opportunity to look not only at if cloud technologies will change your business, but to take a page from Drucker, to also ask why and how. In articulating an IT strategy around cloud initiatives, consider some of the largest media stories in 2013, and how shortcoming in traditional technology architecture management resulted in data loss and increased risk: theEvernote password compromise in March, the access and release of thousands of federal employees’ personally identifiable information from the Federal Reserve in August, the massive credit card theft from Target’s stores in December. All played out differently, but there is a theme here: legacy system administration, where the responsibility for platformsecurity falls to internal resources, is problematic at best.
In moving to the cloud, much of this risk can be mitigated. I have written in previous articles about the “halo effect” of cloud adoption, wherein organizations embrace a cloud platform but forget that the responsibility for managing data and account security remains on them. While not entirely true, there is a net benefit in that responsibility forinfrastructure security is handled by the platform provider. Moving data from legacy server rooms into modern cloud environments means a reduction in the number of operating system patches, network security devices, and physical security safeguards against exploits that an IT team needs to manage.
Across the board, it is these core services that are most often responsible for security breaches, and it makes good business sense to allow them to be managed by a team with far more specialized experience than any generalist IT team could ever match; a single Google data center has thousands of servers, its own power and climate control systems, and a culture of secrecy so tightly interwoven into Google’s culture that even its own sales and engineering teams operate on a need-to-know basis (and most don’t, say inside sources).
We are beginning to see wider acceptance and adoption of this model, and as a result, a refocusing of IT’s goals away from solely operational tasks and increasingly towards ways to enable increased collaboration, efficiency, and organizational growth. IT is discovering that the same principles that make cloud applications so powerful can be multiplied to other areas of the business, establishing a true enterprise platform, and that their precious time and resources can be dedicated to maximizing that platform’s utility rather than maintaining it in an operational state. This is significant because it opens up a new world of possibilities in terms of collaboration and resources that were previously unavailable to a diversified workforce. Moreover, from a security perspective, they can appreciate that their attention can be spent on ensuring that their data and user base is safe, rather than responding to threats with origins in insecure software or configurations.
This shift in thinking signifies that by adopting cloud based platforms, organizations have recognized that maintaining a large number on-premise systems and applications is rarely a goal worth setting, and that instead of improving the organization, it often exposes increased risk and vulnerability. As we move through 2014, and as new data breaches emerge, will your teams be driving new value, or responding to yesterday’s threats?